On 5/22/2014 12:41 PM, Steve Murphy wrote:
> So, these defenses can be employed to stop/ameliorate such
> hacking efforts:
>
> 1. Keep your phones behind a firewall. Travellers, beware!
>    Never leave the default login info of the phone at default!
> 2. Never use the default provisioning URL for the phone,
>    with its default URL or password.
> 3. Use fail2ban, ossec, whatever to stymie any brute force
>    MAC address searches.
> 4. Use your firewalls to restrict IPs that can access web,
>    ftp, etc., for provisioning to just those IPs needed to allow
>    your phones to provision.
> 5. Keep your logs for a couple years.
> 6. Change your phone SIP acct passwords now, if you haven't
>    implemented the above precautions yet.
>
> If I missed a previous post on this, forgive me.
> Just thought you-all might appreciate a heads-up.

Encrypt your provisioning system if the phone supports it. I had a
cable/voip service provider who HTTPS provisioned by MAC without
encryption and the provisioning URL was stored, unlocked, in the ATA.
Had I been slightly more nefarious, I could have walked the
provisioning tree nice and slow and easily grabbed everyone's SIP
credentials in the clear.

No hacking or cracking was involved. The ATA doubled as the NAT router
they handed out and gave the admin password out freely.
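
A detection sketch for the slow provisioning-tree walk discussed in this thread, added here as an example and not part of the original messages: it counts distinct MAC-named files requested per client across the whole retained log, so a walk too slow for a short rate-limit window still shows up. The combined log format, the `/prov/<mac>.cfg` layout, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Combined-log-format line: client IP, request path, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+)[^"]*" (\d{3})')
# Assumption: provisioning files are named after the phone's 12-hex-digit MAC.
MAC_RE = re.compile(r'/([0-9A-Fa-f]{12})(?:[.\-_][\w.\-]*)?$')


def find_mac_walkers(lines, max_macs=3):
    """Return {ip: (distinct_macs, denied_or_missing)} for clients that asked
    for more distinct MAC-named files than one site plausibly owns."""
    macs = defaultdict(set)
    misses = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a GET/HEAD access-log line
        ip, path, status = m.group(1), m.group(2).split("?")[0], int(m.group(3))
        mac = MAC_RE.search(path)
        if not mac:
            continue  # not a per-phone provisioning file
        macs[ip].add(mac.group(1).lower())
        if status in (401, 403, 404):
            misses[ip] += 1
    return {ip: (len(s), misses[ip]) for ip, s in macs.items() if len(s) > max_macs}


def _line(ip, ts, mac, status):
    # Helper that builds one constructed access-log line.
    return f'{ip} - - [{ts} +0000] "GET /prov/{mac}.cfg HTTP/1.1" {status} 512'


# Constructed sample: one site re-fetching its own two phones, and one client
# requesting a new sequential MAC once an hour.
SAMPLE_LOG = (
    [_line("192.0.2.10", f"22/May/2014:0{h}:00:00", mac, 200)
     for h in range(3) for mac in ("0004f2aa0001", "0004f2aa0002")]
    + [_line("203.0.113.50", f"22/May/2014:{h:02d}:17:00", f"0004f2aa{h:04x}",
             200 if h in (1, 2) else 404)
       for h in range(8)]
)

if __name__ == "__main__":
    for ip, (n, miss) in find_mac_walkers(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct MACs requested, {miss} denied/missing")
```

Run over months of retained logs rather than a single day, the same count exposes clients that stay under a fail2ban-style per-minute threshold.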